Introduction


DIGITALEUROPE firmly believes in the potential of Gaia-X to become a pioneering 
initiative to support innovative data exchanges and cloud and edge uptake in
Europe via concrete business use cases. We joined Gaia-X among its first day-1 
members and plan to contribute to Gaia-X’s deliverables and operations. 


Having replied to the consultation organised on the policy rules document (PRD 
21.04), we now share the below general comments and recommendations based 
on our response. 


General observations 


>> High-Level Objectives: We greatly welcome the proposed high-level 
objectives (HLOs) as a constructive base to develop the Gaia-X ecosystem 
around workable policy rules. The new format of the HLOs as a general,
clear and concise set of rules for all sectors is a much better option than
sector-specific rules. If the scope of the HLOs were to be broadened in
future versions of the policy rules, we would encourage further consultation 
of the Gaia-X community, with a reasonable timeline for input. 


>> Compliance metrics & standardisation: We soon expect the policy rules
to be complemented by related metrics (e.g., standards) that can be used 
to demonstrate conformance. In that context, it is very positive that Gaia-X 
seeks to reflect the work and best practices of long-established European 
and international standards developing organisations. When assessing 
standardisation needs, we believe that it would benefit all Gaia-X 
participants if identified and proposed standards and mechanisms are as 
much as possible internationally recognised and accepted (e.g., ISO/IEC 
or international fora/consortia like OASIS, IETF, etc.).


= It is important that Gaia-X adheres to metrics that a) were 
developed through sufficient due-process-based procedures and 
safeguards, b) are broadly recognised and accepted by impacted
industry players and/or c) were developed with sufficient industry 
stakeholder participation and support. 


>> Common rules for IaaS, PaaS, SaaS: Laying out common objectives for
all types of cloud services (IaaS, SaaS and PaaS) simplifies the
understanding of related requirements for both providers and users. 
Avoiding completely different sets of rules is useful as boundaries between 
different types of cloud offerings are rather blurred and ill-defined. We 
therefore strongly welcome the design of a framework for a shared 
responsibilities model, which, if relevant, can define clear responsibilities 
and tasks for each service. 


>> Third-party verification: Preference shall be given to self-declaration or 
other industry-supported conformance approaches over third-party 
verifications. Any third-party certification schemes should only be used 
where appropriate and relevant, as they would represent substantial audit 
and record-keeping costs to Gaia-X-participating service providers. It is 
important that the conformity assessment framework of Gaia-X ensures 
integrity, neutrality and effectiveness and leverages the ISO/IEC CASCO 
framework¹ and relevant standards.


>> Link with the Architecture of Standards: The Gaia-X policy rules and the 
architecture of standards are closely connected, but this relationship is not 
entirely clear yet. With the architecture of standards being also an evolving 
document, it is important to ensure consistency and consult the community 
on the links between the two. 


>> Implementation & scope: The PRD does not yet detail how the policy 
rules will be implemented and enforced in practice, and if it will be 
considered a code of conduct. The structure, purpose/objectives and the 
level of granularity should be further assessed to indicate which exact 
framework should be followed in each section and which maturity levels 
correspond, including a roadmap for getting to higher maturity levels (with 
justifications). This would make the PRD easier to understand by the wider 
Gaia-X community. 


>> Governance: Without prejudice to the policy rules, it is crucial for Gaia-X 
to have a sound governance structure supporting its development as well 
as the review and approval of proposed Gaia-X requirements, policies or 
programmes (cf. in this regard our governance recommendations from
March²). This includes having clear and written governance documents that
are developed through transparent and inclusive processes, such as by-laws,
internal rules, committee/working group procedures, policies, etc.
Those documents should address issues such as IPR (patent, copyright
and trademark issues), public comment and/or written records processes,
competition policy, etc., covering the four different Gaia-X activities, with
the opportunity for review and feedback. The absence of some of these
procedures and rules creates legal uncertainty and makes it more difficult
for stakeholders to engage.


1 Toolbox available here: https://casco.iso.org/toolbox.html


= To support sound governance, Gaia-X should use OSI-recognised
open-source licensing to drive relevant Gaia-X activities
such as its Federation services. In doing so, Gaia-X will attract the 
support of the open-source community to collaborate and build out 
commoditised and modular solutions upon which companies can 
further differentiate and add value. 


Concrete observations & suggestions


>> Clarity & alignment of definitions: The definitions included in the PRD
such as ‘asset’ or ‘service offering’ should be more precise and aligned with 
definitions of the same concepts in other Gaia-X documents (architecture 
documents). Furthermore, we propose adding a clear clause in the PRD’s 
introductory section stating that “The current policy rules apply to service 
offerings offered in the Gaia-X ecosystem”, rather than only mentioning this 
principle in the recitals. 


>> Geographical scope: There is a general vagueness with regard to the
PRD’s jurisdictional scope. We recommend clarifying the PRD’s scope, as 
many Gaia-X participants need to operate globally for both their own 
facilities and their global supply chains and will therefore also be subject to 
regulations in non-EU jurisdictions. 


= Notably, clause B.5.2 of the PRD should not conflict with the legal 
obligations of any company with ties to a jurisdiction that could 
compel access to data without customer consent. 


>> Links with EU legislation: The PRD contains provisions from selected EU
legislation such as the GDPR. Companies are already complying with all
EU legislation that entered into force: the PRD should then only refer to
applicable legislation when proposing implementation solutions (e.g. third-party
certification and use of relevant codes of conduct under the GDPR),
and avoid replicating requirements stemming from such legislation.


2 DIGITALEUROPE’s principles for a successful Gaia-X ecosystem, March 2021,
https://www.digitaleurope.org/resources/digitaleuropes-principles-for-a-successful-gaia-x-ecosystem/


>> Links with standards & codes: The policy rules should leverage relevant 
existing standards and codes of conduct to facilitate implementation. 


= For the cybersecurity section, references to relevant ISO standards
should be included rather than creating new similar (yet different)
provisions. When there are references to national certification
schemes³, it is important to clarify how they interrelate and are
recognised by other EU countries, and to mention any other EU-wide
or international option.


= For the portability section, the PRD should only refer to the Free 
flow of non-personal data regulation and its mechanism for 
promotion of data flows via data porting. Any data portability 
implementation details should be delegated to the ecosystem 
supporting the regulation (such as SWIPO). 


>> Data spaces:


= Relationship with Gaia-X: Beyond the current scope of the policy 
rules, we recommend further clarifying the relationship between the
Gaia-X AISBL, its data spaces activities and its national hubs. For 
Gaia-X members who want to support and participate in the 
ecosystem, it is important to fully understand the respective roles 
and interactions. Furthermore, it is crucial that all Gaia-X initiatives 
supporting the data spaces are designed in coordination with the 
Common EU data spaces backed by the European Commission, 
ensuring alignment and avoiding duplication of initiatives. 


= Sector-specific rules for data spaces: The policy rules should not 
elaborate on the data sharing rules and policies within the
Gaia-X-supported data spaces. The PRD should thus note that there will
be rules and policies specific to each data space, duly considering 
the singularities and inherent particularities of every sector. 


3 For instance, French (ANSSI SecNumCloud) and German (BSI C5). 

DIGITALEUROPE represents the digital technology industry in Europe. Our members include
some of the world’s largest IT, telecoms and consumer electronics companies and national
associations from every part of Europe. DIGITALEUROPE wants European businesses and
citizens to benefit fully from digital technologies and for Europe to grow, attract and sustain the
world’s best digital technology companies. DIGITALEUROPE ensures industry participation in
the development and implementation of EU policies.

Corporate Members


Accenture, Airbus, Amazon, AMD, Apple, Arçelik, Atos, Autodesk, Bayer, Bidao, Bosch, Bose, Bristol-Myers 
Squibb, Brother, Canon, Cisco, DATEV, Dell, Dropbox, Eli Lilly and Company, Epson, Ericsson, ESET, 
Facebook, Fujitsu, GlaxoSmithKline, Global Knowledge, Google, Graphcore, Hewlett Packard Enterprise, 
Hitachi, HP Inc., HSBC, Huawei, Intel, Johnson & Johnson, JVC Kenwood Group, Konica Minolta, Kyocera, 
Lenovo, Lexmark, LG Electronics, Mastercard, Microsoft, Mitsubishi Electric Europe, Motorola Solutions, 
MSD Europe Inc., NEC, NetApp, Nokia, Nvidia Ltd., Oki, OPPO, Oracle, Palo Alto Networks, Panasonic 
Europe, Philips, Pioneer, Qualcomm, Red Hat, ResMed, Ricoh, Roche, Rockwell Automation, Samsung, 
SAP, SAS, Schneider Electric, Sharp Electronics, Siemens, Siemens Healthineers, Sky CP, Sony, Swatch 
Group, Technicolor, Texas Instruments, Toshiba, TP Vision, UnitedHealth Group, Visa, VMware, Waymo, 
Workday, Xerox, Xiaomi, Zoom. 


National Trade Associations 


Austria: IOÖ
Belarus: INFOPARK
Belgium: AGORIA
Croatia: Croatian Chamber of Economy
Cyprus: CITEA
Denmark: DI Digital, IT BRANCHEN, Dansk Erhverv
Estonia: ITL
Finland: TIF
France: AFNUM, SECIMAVI,
Germany: bitkom, ZVEI
Greece: SEPE
Hungary: IVSZ
Ireland: Technology Ireland
Italy: Anitec-Assinform
Lithuania: INFOBALT
Luxembourg: APSI
Netherlands: NLdigital, FIAR
Norway: Abelia
Poland: KIGEIT, PIIT, ZIPSEE
Portugal: AGEFE
Romania: ANIS
Slovakia: ITAS
Slovenia: ICT Association of Slovenia at CCIS
Spain: AMETIC
Sweden: Teknikföretagen, IT&Telekomföretagen
Switzerland: SWICO
Turkey: Digital Turkey Platform, ECID
United Kingdom: techUK